We consider the problem of detecting whether an attacker measures the amount of traffic 
sent over a communication channel — possibly without extracting information about the 
transmitted data. A basic approach for designing a quantum protocol for detecting a 
perpetual traffic analysis of this kind is described. 
1. Introduction 

Within classical cryptography it is a well-known phenomenon that a communication channel 
can be eavesdropped without affecting the transmitted data. In recent years techniques 
have been developed which exploit the quantum properties of the microphysical world in 
order to deal with this problem. One of the most prominent among these methods is the 
protocol for quantum key distribution described by Bennett and Brassard. By means 
of such quantum protocols it is possible to ensure that an eavesdropper who tries to get 
knowledge of the transmitted data can be detected with high probability. However, an 
interesting aspect of eavesdropping which does not seem to be covered by the quantum 
protocols suggested so far is traffic analysis: think of an attacker who is only interested 
in analyzing the amount of traffic sent over a channel, i.e., the attacker is only interested 
in knowing how much data is transmitted and not necessarily in reading the transmitted 
information itself. 

If the communication channel is part of a network then one approach to thwart such 
a traffic analysis is to conceal the identity of the recipient of the transmitted data (cf., 
e.g., Rackoff and Simon and the references given there). In case of an "isolated" 
communication channel the situation is much worse — if the existence of the channel cannot 
be kept secret (say by means of steganographic techniques) the classical approach to 
circumvent an analysis of the amount of meaningful data sent over the channel is to keep 
the communication channel busy all the time. This means that data is sent continuously, 
and the legitimate users of the channel have to separate the relevant from the "dummy" 
data via a suitable (secret) synchronization. No other solution to this problem seems to 
be known — e.g., Rackoff and Simon state "In other words, any secret regarding the total 
volume of information sent or received by a party is purchased at the cost of the extra 
'dummy traffic' generated to disguise it." 
On Using Quantum Protocols to Detect Traffic Analysis 

In this contribution we describe a simple quantum protocol which under suitable 
assumptions enables the legitimate users of a quantum channel to detect with high 
probability whether the traffic on a quantum channel is analyzed — even if the attacker does 
not try to read the transmitted data. We are not aware of a classical analogue of such a 
procedure. However, we emphasize that in the present form, the protocol is not suitable 
for practical cryptographic use, as e.g., topics like authentication, noisy communication 
channels, or efficiency are not taken into account. Nevertheless, we think the described 
protocol to be of interest, as it might point out a new application of quantum physical 
phenomena for cryptographic purposes. 

Roughly speaking, the idea of the protocol is as follows: as carrier of the information 
to be transmitted we think of using an inner degree of freedom of some particle (like 
the polarization of a photon) or different types of particles for representing zero and one. 
Then to transmit a bit, first the wave function of the particle carrying the information 
is split up into two parts, and one of these parts is transmitted over the communication 
channel; the other part is kept secret by the sender. At no time more than one wave 
package is present on the communication channel. The receiving party chooses at random 
whether the transmitted bit is received or mirrored back to the sender — in the latter case 
the corresponding bit is sent again in the next step. If no attack takes place and a wave 
package is returned, then there will be interference between a returned wave package and 
the wave package retained by the sender. As an observation of the channel causes a partial 
collapse of the wave function, a traffic analysis destroys this interference. 

2. A Quantum Protocol for Detecting Traffic Analysis 

Following the established terminology, the communicating parties will be referred to as 
Alice and Bob in the sequel. Moreover, the attacker who is interested in analyzing the 
traffic on the communication channel between Alice and Bob will be called Tracy. We 
avoid the name Eve, as Tracy is not necessarily interested in eavesdropping the channel, 
i.e., obtaining the transmitted information as such. Instead, she may restrict her interest 
to learning the number of transmitted bits. 

2.1. Statement of the protocol 

Let us suppose that Alice wants to send a message $m = m_1 \ldots m_n$ to Bob (we assume the 
$m_i$'s to be individual bits, but one could as well use a coarser subdivision of $m$). Moreover, 
Alice would like to know whether Tracy is analyzing the communication channel while $m$ 
is being sent to Bob. If $n$ is not too small, then informally the technical apparatus and 
a protocol for doing so can be described as follows (for a more formal treatment see 
Section 2.2): 
Technical apparatus 

• Alice has a source for producing single particles, and she can encode a bit value in 
an inner degree of freedom of such a particle (as an example we may think of the 
polarization of a photon). Alternatively one can also think of using different types 
of particles for encoding zero and one. Moreover, Alice has a 50:50 beam splitter $B_1$ 
which splits a particle into two wave packages without affecting this inner degree of 
freedom, and she is able to store one such wave package in her laboratory. Finally, 
she has a 50:50 beam splitter $B_2$ where a wave package received on the channel and 
a wave package stored in her laboratory can meet in such a way that in one branch 
constructive and in the other branch destructive interference occurs. By means of a 
detector $\mathcal{C}$ in the "constructive branch" and a detector $\mathcal{D}$ in the "destructive branch" 
Alice can decide whether a particle is present in one of the branches. 

• Bob needs a switchable device which either mirrors a wave package on the channel 
back to Alice without detecting the presence of the package, or reads out the inner 
degree of freedom of a particle on the channel without returning anything. 

Initialization 

We assume that Alice and Bob have agreed upon a time $t_1$ where the transmission of Alice 
is to begin. By $\Delta \in \mathbb{R}$ we denote the time required by a particle for passing from Alice 
to Bob back to Alice. Alice and Bob can use $\Delta$ to synchronize their transmissions in such 
a way that there is at no time more than one wave package present on the channel, and 
Alice can make use of $\Delta$ to carry out her interference experiments correctly. Finally, Alice 
initializes a variable $a \leftarrow 0$ for counting the number of transmitted wave packages, and 
Bob initializes a boolean variable $b \leftarrow \text{true}$. 

Transmission protocol 

For $i \leftarrow [1, \ldots, n]$ Alice proceeds as follows to transmit bit $m_i$ to Bob: 

1. Alice produces a single particle $P$ and encodes $m_i$ in an inner degree of freedom of $P$. 
Then she passes $P$ through the beam splitter $B_1$ and retains one of the two resulting 
wave packages in her private laboratory. The other wave package is transmitted 
to Bob over the communication channel at time $t_i = t_1 + a \cdot \Delta$. Then Alice sets 
$a \leftarrow a + 1$. 

2. If $b$ = true then Bob selects $r \in \{\text{true}, \text{false}\}$ at random. Otherwise, i.e., for $b$ = false, 
the value of $r$ remains unchanged. 

3. If $r$ = true then Bob mirrors the wave package back to Alice. Otherwise he reads out 
the inner degree of freedom of the potentially present particle on the communication 
channel. 

4. Bob sets $(b, r) \leftarrow (\text{not } b, \text{not } r)$. 

5. Using the beam splitter $B_2$ Alice brings the wave package potentially returned by 
Bob and the wave package stored in her laboratory into interference. Let $C_j$ resp. 
$D_j$ ($1 \le j \le a$) be the random variable describing the number of particles (0 or 1) 
detected in detector $\mathcal{C}$ resp. $\mathcal{D}$ in Alice's $j$th interference experiment. 

6. If $a$ is even then Alice tests the following hypothesis: 

the vector valued random variables $(C_{2j-1}, C_{2j}, D_{2j-1}, D_{2j})$ (where $1 \le j \le a/2$) 
are identically independently distributed with the probability distribution 
for all other x. 

If this hypothesis has to be rejected with high probability then Tracy is assumed to 
analyze the communication channel and the protocol is aborted. 

7. If $C_a + D_a = 0$ then Alice assumes that the transmission of bit $m_i$ is complete, i.e., 
that Bob has succeeded in receiving $m_i$. Otherwise, i.e., if $C_a + D_a \neq 0$, Alice goes 
back to Step 1 — thereby retransmitting $m_i$. 

Before explaining and analyzing the above protocol in more detail we would like to 
emphasize again that in the above simple form the protocol is not suitable for practical 
cryptographic use. In particular it does not take the problem of authentication into 
account; also it is assumed that the communication channel is perfect. Similarly, for ease 
of presentation, in Step 6 of the above protocol, Alice does not check whether a detected 
particle indeed encodes the bit $m_i$. 

2.2. Explanation and analysis of the protocol 

To explain the protocol we introduce some notation. For sake of simplicity for the moment 
we restrict ourselves to an informal explanation of the individual steps of the protocol; a 
more rigorous treatment is postponed until later. 

By $\mathcal{Q}$ we denote the Hilbert space corresponding to the particle's inner degrees of 
freedom and by $\mathcal{H}$ the Hilbert space spanned by the following three basis states: 

1. $|a\rangle$: the particle $P$ is in Alice's laboratory 

2. $|c\rangle$: the particle $P$ is in the communication channel 

3. $|b\rangle$: the particle $P$ is in Bob's laboratory 

In the first step of the protocol Alice prepares the state 

$$\frac{1}{\sqrt{2}} \left( |a\rangle + |c\rangle \right) \otimes |m_i\rangle \qquad (1)$$

R. Steinwandt, D. Janzing, and Th. Beth 

where $|m_i\rangle \in \mathcal{Q}$ stands for the inner state representing the bit $m_i$. 

In the Steps 2-4 the role of Bob's boolean variables $b$ and $r$ is as follows: the variable 
$b$ is used to group the transmitted wave packages of Alice into pairs in such a way that for 
$j \in \mathbb{N}$ arbitrary either the $(2j-1)$st or the $(2j)$th wave package (but never both of them) is 
mirrored back to Alice: $b$ = true resp. $b$ = false means that currently a "first" ($(2j-1)$st) 
resp. "second" ($(2j)$th) element of a pair is processed by Bob. The random choice of $r$ in 
Step 2 is used to decide at random whether the first or second wave package of the current 
pair is mirrored back. Note that the decision whether to return the first or second package 
is made independently for each individual pair, and we assume that mirroring back the 
wave package does not alter the state (1). 

In Step 3 if $r$ = false then Bob attempts to read out the inner degree of freedom of 
the potentially present particle. For this the wave package enters his laboratory which 
translates into transforming the state (1) into 

$$\frac{1}{\sqrt{2}} \left( |a\rangle + |b\rangle \right) \otimes |m_i\rangle. \qquad (2)$$

Reading out the inner degree of freedom then means to perform a measurement on the 
state (2). This measurement is described by the following three projectors: 

1. $Q_0$: Projection on the one-dimensional subspace spanned by $|b\rangle \otimes |0\rangle \in \mathcal{H} \otimes \mathcal{Q}$ — Bob 
receives $m_i = 0$. 

2. $Q_1$: Projection on the one-dimensional subspace spanned by $|b\rangle \otimes |1\rangle \in \mathcal{H} \otimes \mathcal{Q}$ — Bob 
receives $m_i = 1$. 

3. $Q_e := (1 - |b\rangle\langle b|) \otimes 1$ — Bob does not detect a particle at all. 

In the sequel the corresponding measurement outcomes are denoted by 0, 1, and $e$. 

Finally, seeing why Alice's hypothesis in Step 6 is not rejected with high probability 
reduces to computing the five non-zero probabilities occurring in the hypothesis: 

• $p((C_{2j-1}, C_{2j}, D_{2j-1}, D_{2j}) = (1,1,0,0)) = 1/4$: w.l.o.g. we assume that Bob 
measures the bit transmitted in the $(2j-1)$st transmission. Then the result $C_{2j-1} = 1$ 
is only possible if Bob's measurement yields the result $e$. In this case we have 
$C_{2j-1} = 1$ with probability 1/2. Since the result $e$ has probability 1/2 as well, we 
obtain $p((C_{2j-1}, C_{2j}, D_{2j-1}, D_{2j}) = (1,1,0,0)) = 1/4$ as required. 

• $p((C_{2j-1}, C_{2j}, D_{2j-1}, D_{2j}) = (1,0,0,0)) = 1/4$: from $C_{2j} = 0$ we conclude that 
Bob measured the $2j$th transmission. This choice occurs with probability 1/2 and 
also guarantees $C_{2j-1} = 1$ and $D_{2j-1} = 0$. As $C_{2j} = D_{2j} = 0$, the result of Bob's 
measurement is different from $e$; the latter event has probability 1/2. So in summary 
we get $p((C_{2j-1}, C_{2j}, D_{2j-1}, D_{2j}) = (1,0,0,0)) = 1/4$. 

• $p((C_{2j-1}, C_{2j}, D_{2j-1}, D_{2j}) = (0,1,0,0)) = 1/4$: the same argument as in the 
previous case with $2j$ and $2j-1$ interchanged. 

• $p((C_{2j-1}, C_{2j}, D_{2j-1}, D_{2j}) = (1,0,0,1)) = 1/8$: from $C_{2j} = 0$ we conclude that Bob 
measured the $2j$th transmission. This choice occurs with probability 1/2 and also 
guarantees $C_{2j-1} = 1$ and $D_{2j-1} = 0$. As $D_{2j} = 1$ the result of Bob's measurement 
is $e$; the latter event has probability 1/2. If Bob does not detect a particle (i.e., the 
result of his measurement is $e$) the probability that $\mathcal{C}$ (resp. $\mathcal{D}$) detects a particle is 
1/2. Consequently, we obtain $p((C_{2j-1}, C_{2j}, D_{2j-1}, D_{2j}) = (1,0,0,1)) = 1/8$. 

• $p((C_{2j-1}, C_{2j}, D_{2j-1}, D_{2j}) = (0,1,1,0)) = 1/8$: the same argument as in the 
previous case with $2j$ and $2j-1$ interchanged. 

As the probabilities of these cases sum up to 1 already, no other values of the tuple 
$(C_{2j-1}, C_{2j}, D_{2j-1}, D_{2j})$ can occur. 

Next, we show that measurements of Tracy which are appropriate for detecting whether 
bits have been transmitted or not change the statistics in Step 6 of the above transmission 
protocol. For this we use a field-theoretic formulation of the quantum physical situation. 
The particles used in the protocol can be Bosons or Fermions; here we restrict our attention 
to Bosons. Hence the field-theoretic description will represent the system in a symmetric 
Fock space. If an arbitrary particle is described in a Hilbert space $\mathcal{L}$ the corresponding 
Bose field is described in the symmetric Fock space $\mathcal{F}^+(\mathcal{L})$. Here we take $\mathcal{L} := L^2(\mathbb{R}^3)$, the 
set of square integrable functions (cf. the work of Prugovecki, for instance) as one-particle 
space. 

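Let $A \subset \mathbb{R}^3$ be the area of Alice's laboratory and $X := \mathbb{R}^3 \setminus A$ its set-theoretic complement. 
Moreover, for $R \subset \mathbb{R}^3$ we set 

$$\mathcal{L}_R := \{ f \in \mathcal{L} \mid \forall y \in (\mathbb{R}^3 \setminus R) : f(y) = 0 \}.$$

So in particular we have $\mathcal{L} = \mathcal{L}_A \oplus \mathcal{L}_X$. Moreover, the algebra of operators acting on 
$\mathcal{F}^+(\mathcal{L})$ can be split up into a tensor product of those which can be measured in Alice's 
laboratory and those which can be measured outside due to the formula 

$$\mathcal{F}^+(\mathcal{L}_A \oplus \mathcal{L}_X) = \mathcal{F}^+(\mathcal{L}_A) \otimes \mathcal{F}^+(\mathcal{L}_X). \qquad (3)$$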

To express this more precisely, we can make use of the concept of a Positive Operator 
Valued Measure (POVM). A POVM is a family $(a_i)_{i \in I}$ of positive operators with 
$\sum_i a_i = 1$; it describes the most general quantum mechanical measurement. As Tracy 
does not have access to Alice's laboratory, every measurement which she can perform is 
a POVM of the form $(a_i) = (1 \otimes b_i)$ where $b_i$ is an arbitrary positive operator of the 
right-hand component of the tensor product (3).$^a$ 

$^a$ This is a locality assumption for the laws of physics: the operators which represent measurements 
performed inside a certain area act trivially on the Hilbert space corresponding to the fields outside the 
area. This is formalized by Haag in a rather axiomatic approach. 

Now we distinguish between the two possible cases: 

1. Alice transmits a particle to Bob: in this case the state vector of the field is contained 
in the one-particle subspace of $\mathcal{L}$. In this subspace the state can be described by a 
wave function $|\psi\rangle \in \mathcal{L}$. 

At some time $T_1$ one part of the wave function leaves Alice's laboratory and returns 
at a time $T_2$. Hence for $t \in [T_1, T_2]$ the state $|\psi(t)\rangle$ splits into a sum 

$$|\psi(t)\rangle := \frac{1}{\sqrt{2}} \left( |\psi_1(t)\rangle + |\psi_2(t)\rangle \right)$$

where the $\psi_i$ describe the outputs of the two branches of Alice's beam splitter $B_1$: 
$\psi_1$ is the part of the wave function which is to remain in Alice's laboratory, and $\psi_2$ 
is the part of the wave function which is to be transmitted over the communication 
channel. If we consider $|\psi(t)\rangle$ canonically as an element of the Fock space 
$\mathcal{F}^+(\mathcal{L}_A) \otimes \mathcal{F}^+(\mathcal{L}_X)$ we obtain 

$$|\psi(t)\rangle = |\psi_A(t)\rangle \otimes |0\rangle + |0\rangle \otimes |\psi_X(t)\rangle,$$

where $|0\rangle$ denotes the 0-particle state in $\mathcal{F}^+(\mathcal{L}_A)$ and $\mathcal{F}^+(\mathcal{L}_X)$, respectively. Since 
at no time more than "half of the wave function" is outside the laboratory, the norm 
of $|\psi_X(t)\rangle$ is not greater than $1/\sqrt{2}$ at any time $t$. 

2. Alice does not transmit a particle to Bob: in this case the state of the quantum field 
is for every time $t$ given by the vector $|\phi(t)\rangle = |0\rangle \otimes |0\rangle$, i.e., the 0-particle state of 
$\mathcal{F}^+(\mathcal{L}_A) \otimes \mathcal{F}^+(\mathcal{L}_X)$. 

Tracy's measurement can only distinguish between the states $|\phi(t)\rangle$ and $|\psi(t)\rangle$ if the 
corresponding POVM $(a_j)$ contains an operator $a_i$ with the property 

$$\langle \psi(t) | a_i | \psi(t) \rangle \neq \langle \phi(t) | a_i | \phi(t) \rangle. \qquad (4)$$

On the other hand, a measurement apparatus can only be non-disturbing if the measured 
states are eigenvectors of every $a_j$ of the POVM.$^b$ Hence Tracy's attack has to be a 
measurement with the property that $|\psi(t)\rangle$ is an eigenvector of each $a_i = 1 \otimes b_i$. One 
checks easily that this can only be the case if $|0\rangle$ and $|\psi_X(t)\rangle$ are eigenvectors of $b_i$ with 
the same eigenvalue: 

Remark 1 With the above notation $|\psi(t)\rangle$ can only be an eigenvector of each $a_i = 1 \otimes b_i$ 
if $|0\rangle$ and $|\psi_X(t)\rangle$ are eigenvectors of $b_i$ with the same eigenvalue. 

Proof. The two components $|\psi_A(t)\rangle \otimes |0\rangle$ and $|0\rangle \otimes |\psi_X(t)\rangle$ of $|\psi(t)\rangle$ are contained in the 
mutually orthogonal vector spaces $|\psi_A\rangle \otimes \mathcal{F}^+(\mathcal{L}_X)$ and $|0\rangle \otimes \mathcal{F}^+(\mathcal{L}_X)$, respectively. Both 
of these vector spaces are invariant under $1 \otimes b_i$, and hence the claim follows. □ 

Remark 1 implies that the observable $1 \otimes b_i$ cannot distinguish between the state $|0\rangle$ 
and the state $|\psi(t)\rangle$ in the sense that the right-hand and the left-hand side of equation (4) 
coincide. 

So assuming that whenever the part of the wave function outside Alice's laboratory is 
modified then there can be no perfect destructive (constructive) interference in the branch 
corresponding to Alice's detector $\mathcal{D}$ ($\mathcal{C}$), Tracy's traffic analysis also modifies the statistics 
in Step 6 of the transmission protocol. Qualitatively, this argument also holds for joint 
attacks (cf., e.g., Biham and Mor): as at no time more than one particle is present 
on the channel, such an attack would have to access single particles in order to store quantum 
information for a later joint measurement on the memory. 

$^b$ In Kraus' work one can find equations describing the connection between the POVM and the 
corresponding effect of the measurement on the state. 
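
The Step 6 test can be tried numerically. The following Python sketch is an added example, not part of the original paper: it samples pairs of transmissions and compares the observed tuples with the five probabilities computed in Section 2.2 by a chi-square test. As an assumption it models Tracy by an ideal presence measurement on the channel that fully destroys the interference at $B_2$; the function names, `tap_prob` and the significance level are choices made for this illustration.

```python
import random
from collections import Counter

# Step 6 distribution of (C_{2j-1}, C_{2j}, D_{2j-1}, D_{2j}): the five
# non-zero cases derived in Section 2.2; every other tuple has probability 0.
EXPECTED = {
    (1, 1, 0, 0): 1 / 4,
    (1, 0, 0, 0): 1 / 4,
    (0, 1, 0, 0): 1 / 4,
    (1, 0, 0, 1): 1 / 8,
    (0, 1, 1, 0): 1 / 8,
}
CRITICAL = 18.47  # chi-square quantile, 4 degrees of freedom, alpha = 0.001


def slot(mirrored, tapped, rng):
    """Detector readings (C, D) in Alice's experiment for one wave package."""
    if mirrored:
        if not tapped:
            return (1, 0)  # undisturbed: constructive branch fires with certainty
        # ASSUMPTION (not from the paper): Tracy's presence measurement fully
        # collapses the wave function, so B_2 sends the particle to C or D
        # with probability 1/2 each.
        return (1, 0) if rng.random() < 0.5 else (0, 1)
    # Bob reads out. With probability 1/2 the particle is found on the channel
    # side (by Bob, possibly after Tracy) and Alice sees nothing; otherwise
    # only the stored package reaches B_2 and C or D fires with probability 1/2.
    if rng.random() < 0.5:
        return (0, 0)
    return (1, 0) if rng.random() < 0.5 else (0, 1)


def simulate(pairs, tap_prob, seed):
    """Count tuples over `pairs` pairs; each package is tapped w.p. tap_prob."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(pairs):
        first_mirrored = rng.random() < 0.5  # Bob's random r from Step 2
        c1, d1 = slot(first_mirrored, rng.random() < tap_prob, rng)
        c2, d2 = slot(not first_mirrored, rng.random() < tap_prob, rng)
        counts[(c1, c2, d1, d2)] += 1
    return counts


def chi_square(counts):
    """Pearson statistic against EXPECTED; an impossible tuple gives infinity."""
    if any(x not in EXPECTED for x in counts):
        return float("inf")
    n = sum(counts.values())
    return sum((counts[x] - n * p) ** 2 / (n * p) for x, p in EXPECTED.items())


def tracy_detected(counts):
    """Alice aborts when the Step 6 hypothesis is rejected."""
    return chi_square(counts) > CRITICAL
```

In this toy model a tapped mirrored package can fire the destructive-branch detector, which produces tuples outside the support of the Step 6 distribution, so the hypothesis is rejected as soon as one such tuple is seen.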

A quantitative analysis of the information-disturbance trade-off would have to make use of 
the fact that there is no time at which the norm of the part outside the laboratory is 
greater than $1/\sqrt{2}$. However, such an analysis is beyond the scope of this paper, and we 
do not pursue this topic any further here. 

3. Conclusions 

We have demonstrated (without giving a quantitative analysis) that in principle quantum 
mechanical phenomena can be used to detect a perpetual traffic analysis. In other words, 
it is possible to detect an attacker who perpetually measures the amount of traffic on a 
communication channel even in the case that the attacker does not read the transmitted 
data itself. 